EU to Issue Guidance on Making Coronavirus Tracking Data Anonymous

European governments will clarify by next week how companies can use personal data for coronavirus research


European regulators are scrutinizing how telecommunications operators and technology companies use personal data to track the spread of the coronavirus pandemic.

As governments in Europe oversee a dramatic expansion in data-sharing between the public and private sectors, officials and companies involved in the effort to get ahead of the virus have said they will comply with privacy laws such as the 2018 General Data Protection Regulation.

European Union countries will agree on guidance by next week for how companies should anonymize customer data, or strip it of information that might identify individuals, the European Commission, the bloc’s executive arm, said Wednesday. The EU will also recommend how public authorities can test companies’ methods to guarantee data remains anonymous, and recommend safeguards to prevent mistakes that could reveal an individual’s identity.

Privacy regulators from EU countries are also drafting guidance on anonymization techniques, the regulators’ umbrella group said Tuesday. Businesses and governments say they are relying in part on anonymized data to analyze the spread of the coronavirus, but some experts say it will be difficult to guarantee that data can’t be traced back to individuals.

“Individual-level location data, when you look at a phone traveling around for a certain period of time, would be extremely hard to anonymize,” said Yves-Alexandre de Montjoye, an assistant professor in the department of computer science at Imperial College London.

Telecoms carriers across Europe recently started sharing anonymized mobile location data with authorities to assess whether residents are traveling less since governments ordered people to stay home to slow infection rates.

Anonymization methods to make data nonpersonal include using encryption, so that the data is available only to those holding a decryption key, or masking sensitive details with a hash, an unrelated value that makes them unreadable.

Nonpersonal data is exempt from the GDPR’s provisions, meaning that anonymization has become an important process for many companies that collect data to use in artificial intelligence algorithms, or to develop products and market services. If the data wasn’t anonymized, consent would have to be sought from each individual, said Ahmed Baladi, a partner in the Paris office of law firm Gibson, Dunn & Crutcher LLP.

Some regulators have criticized these coronavirus tracking initiatives. The Dutch data protection authority said last week that mobile carriers can’t guarantee that supposedly anonymized data won’t be traced back to an individual customer. Its Slovenian counterpart said last week that a data-collection plan by a public health institute could expose personal information if combined with other sources.

“It’s very hard to achieve anonymization with a strong-enough degree of certainty,” a spokeswoman for the regulator said.

To avoid falling foul of the GDPR, companies should assume that location data is always personal because it could identify an individual if matched with other sources such as surveillance camera footage, said Michèle Finck, a senior research fellow at the Max Planck Institute for Innovation and Competition Law.

European authorities have offered different opinions about the use of anonymized data. Deutsche Telekom AG recently started sharing anonymized customer location data with Germany’s main public health institute to help researchers understand travel habits and predict the spread of the coronavirus, WSJ Pro Cybersecurity reported last month. Germany’s federal data protection regulator said Deutsche Telekom’s method to anonymize data didn’t pose significant privacy risks. The Italian privacy authority told lawmakers Wednesday that anonymized location data doesn’t pose issues and could help epidemiologists’ forecasting.

In most cases, a combination of four different data points about a person’s movements could still identify him or her, even if the data is anonymized, Imperial’s Mr. de Montjoye said.

However, if companies first aggregate the data of a large group—for example, people commuting between cities—before applying anonymization techniques, it is much easier to properly strip out identifiers, he said.
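The contrast between individual traces and aggregated counts can be measured. The Python sketch below is an added example, not part of the original article or any operator's method: it hashes subscriber IDs, computes how often a few known points single out one trace, and then releases only per-cell head counts. The sample traces, function names and the threshold `k=3` are constructed assumptions.

```python
import hashlib
from collections import Counter
from itertools import combinations

# Constructed sample: subscriber -> cell observed at hours 8, 9, 13, 18, 22.
HOURS = (8, 9, 13, 18, 22)
RAW = {
    "sub-1": "ABBCA", "sub-2": "ABDCA", "sub-3": "ABBEA",
    "sub-4": "FBBCF", "sub-5": "FBDEF", "sub-6": "ADDCA",
}

def pseudonymize(raw):
    """Replace each subscriber ID with a SHA-256 digest; traces are untouched."""
    return {hashlib.sha256(sid.encode()).hexdigest(): set(zip(HOURS, cells))
            for sid, cells in raw.items()}

def unicity(traces, p):
    """Share of p-point samples that match exactly one trace in the dataset."""
    unique = total = 0
    for trace in traces.values():
        for sample in combinations(sorted(trace), p):
            matches = sum(1 for other in traces.values() if set(sample) <= other)
            unique += (matches == 1)
            total += 1
    return unique / total

def aggregate(traces, k):
    """Per-(hour, cell) head counts, dropping cells with fewer than k people."""
    counts = Counter(point for trace in traces.values() for point in trace)
    return {point: n for point, n in counts.items() if n >= k}

if __name__ == "__main__":
    traces = pseudonymize(RAW)  # hashed IDs, same movement patterns
    for p in (1, 2, 4):
        print(f"{p} known points -> {unicity(traces, p):.0%} of samples unique")
    print(aggregate(traces, k=3))  # no per-person rows, no small cells
```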

Companies often struggle to understand which methods are both effective and compliant with the GDPR, said Gibson, Dunn & Crutcher’s Mr. Baladi.

“It’s key to make sure you’ve closed all the doors around you and no one else is able to re-identify the individual,” he said.
